Date: Tue Sep 20 12:51:04 2005
From: smok3f00 at gmail.com (SmOk3)
Subject: phpBB 2.0.17 remote avatar size bug

Title: phpBB remote avatar size bug
Software: phpBB 2.0.17 (and maybe prior versions)
Discovered by: David Sopas Ferreira <david at systemsecure dot org>
Original link: http://www.systemsecure.org/ssforum/viewtopic.php?t=272

-- Email from phpBB --

Your report "Avatar size" has been closed because your reported issue is invalid. Classifying a report as invalid can have various reasons, most of the time the report is incomplete. If you think your report has been handled incorrectly, please submit another report at http://www.phpbb.com/security/index.php.

Comment added by team member:
This isn't a security problem. You can do the same thing with a standard webpage. As for checking remote avatar size, there are several inherent problems with that, which I won't detail here. As this isn't a security problem, closing.

-- End Of Mail --

My personal opinion:
I think this is a minor security problem. A malicious user can use larger images (for example: 1280px - 1024px) to almost damage the entire view of a topic. For this to be done, Remote Avatar has to be selected. So, if the admins don't consider this a minor security problem, what is it? A "special" feature? I don't want to criticize the phpBB coders, but why is it difficult to check the size of an image and tell the user that that image size is not possible, or even block the size on the viewtopic table, something like that.

Possible solution:
Disable remote avatar or just dig in the code to set the image size you want.
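The size check the post asks for can be made from the first bytes of an image, without decoding it. The following is an added example, not part of the original post and not phpBB code; it is written in Python for illustration, and the 80x80 limit, the function names and the sample headers are assumptions constructed here.

```python
import struct

# Assumed board limits (hypothetical values, not read from any phpBB configuration).
MAX_W, MAX_H = 80, 80

def image_size(head: bytes):
    """Return (width, height) from the leading bytes of a PNG, GIF or JPEG, else None."""
    # PNG: 8-byte signature, then the IHDR chunk with big-endian width and height.
    if head[:8] == b"\x89PNG\r\n\x1a\n" and head[12:16] == b"IHDR" and len(head) >= 24:
        return struct.unpack(">II", head[16:24])
    # GIF: 6-byte signature, then little-endian 16-bit logical screen size.
    if head[:6] in (b"GIF87a", b"GIF89a") and len(head) >= 10:
        return struct.unpack("<HH", head[6:10])
    # JPEG: walk the marker segments until a start-of-frame header is found.
    if head[:2] == b"\xff\xd8":
        i = 2
        while i + 9 <= len(head) and head[i] == 0xFF:
            marker = head[i + 1]
            seg_len = struct.unpack(">H", head[i + 2:i + 4])[0]
            # SOF0..SOF15 carry the frame size; C4, C8 and CC are not frame headers.
            if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):
                h, w = struct.unpack(">HH", head[i + 5:i + 9])
                return (w, h)
            i += 2 + seg_len
    return None

def avatar_allowed(head: bytes, max_w: int = MAX_W, max_h: int = MAX_H) -> bool:
    """Accept only images whose declared size is known and within the limits."""
    size = image_size(head)
    if size is None:
        return False  # unknown format or truncated header: reject
    w, h = size
    return 0 < w <= max_w and 0 < h <= max_h

# Constructed sample headers (not real files): an 80x80 GIF and a 1280x1024 PNG.
SMALL_GIF = b"GIF89a" + struct.pack("<HH", 80, 80)
BIG_PNG = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I", 13) + b"IHDR"
           + struct.pack(">II", 1280, 1024))

if __name__ == "__main__":
    for name, head in (("small.gif", SMALL_GIF), ("big.png", BIG_PNG)):
        print(name, image_size(head), "accept" if avatar_allowed(head) else "reject")
```

A check like this only describes the bytes seen at submission time; the remote host decides what it serves on every later request, so the display-side limit the post mentions (constraining the size in the viewtopic markup) is still needed.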